Configuring SNMPv3

Problem

You want to set up the router to be an SNMP agent so your network SNMPv3 NMS system can monitor it.

Solution

First, define the NMS systems that can access the router and their passwords:

	[edit snmp v3]
	aviva@router1# set 
usm local-engine user nms1 authentication-sha authentication-
	password $1991poppI
	aviva@router1# set usm local-engine user nms1 privacy-des privacy-password $1991poppI

Then, define the MIBs to which the users have access:

	[edit snmp]
	aviva@router1# set view chassis-info-only oid jnxBoxAnatomy include
	aviva@router1# set view chassis-info-only oid snmpMIBObjects include
	aviva@router1# set view chassis-info-only oid system include

You create groups and assign users to them and then define access privileges for each group:

	[edit snmp v3]
	aviva@router1# set vacm security-to-group security-model usm security-name nms1 group
	chassis-only
	aviva@router1# set vacm access group chassis-only default-context-prefix security-
	model usm security-level privacy read-view chassis-info-only
	aviva@router1# set vacm access group chassis-only default-context-prefix security-
	model usm security-level privacy notify-view chassis-info-only

 

Discussion

The basic SNMPv3 setup is similar to the SNMPv2 configuration. You define the NMS systems that can make SNMP requests to the router and which MIBs they can access. In the recipe shown here, we give access only to the objects related to the hardware chassis components.

SNMPv3 uses a USM for security, which you configure in the usm statement hierarchy. Each NMS system is a user. For each user, configure an authentication type and password to ensure that the SNMP messages come from a trusted source. Here we have configured SHA1 authentication. USM also supports MD5 authentication, which you configure with the authentication-md5 keyword.

To protect the SNMP message payload, you encrypt it, here with DES. The CLI converts both passwords into keys:

	[edit 
snmp v3 usm local-engine]
	aviva@router1# show
	user nms1 {
	 authentication-sha {
	 authentication-key "$9$5Qz6u0IrlM0OLxN-2gUjH.mTFn/CA0aZFnCtOBNdVbgoGDiPfzGU.
 5TzCAM8LXbs24aZGiM8ZUjHmPRhcyM8-ds2aZVb.
	Pf5F3SrlKLxdVYaJDKMjHqmTQreKMNds24Djq8XGDjkPfylevxN4aZqP5LxDiHqQz369CtOhclKWLz3cyrK8L
	JGUDqm"; ## SECRET-DATA
	 }
	 privacy-des {
	 privacy-key "$9$bcsYoji.zF/iHAp0OcSM8XN-w24aZGilK24ZUHk0B1ISrvWLdVYvMNbwYZG/
	CAtIEcylKvL/CKM8X-dmf5Q/COBEclK1INdVb2gTzFnApB1hleWn/8X7-wsz3n/
	0BEcyW87CtvW8xdVQF36p0ylK7dbApWLX7sYgoJZUHf5Fn9AYg5QznCAevMW7-"; ## SECRET-DATA
	 }
	}

As with SNMPv2, you create views to define which MIB branches the NMS systems can access (use the view statement at the [edit snmp] level, not at the [edit snmp v3] level). The view we configure, chassis-info-only, allows access to the Juniper Networks enterprise chassis MIB and to portions of other MIBs that retrieve chassis-related information. Because we use the notify view for the chassis-only group, we need to allow the sysUpTime object, which is part of the system OID. The notify view is used when the router sends SNMPv3 notifications (informational messages and traps) to the NMS system. We show how to configure notifications in Recipe 4.15.

Next, define the NMS system's access to the router (in the vacm statement hierarchy). SNMPv3 uses a VACM to grant access privileges to groups. You create groups that are identified by a name, then assign the desired access. A group is simply a collection of NMS systems (users) that are defined in the USM and that share the same access privileges (set in the access statement hierarchy). Here, we have a group called chassis-only that includes our NMS system nms1.

In the access commands, set the security and access privileges for the group. In our recipe, the security model is USM and the security level is privacy, which authenticates all messages and encrypts the message payload. You can also choose authentication, which provides only authentication, and none, which provides neither. The read-view and notify-view statements set the access privileges for incoming NMS requests and outgoing notifications, respectively.

To see the SNMPv3 configuration settings, use the following command:

	aviva@router1> show snmp v3
	Local engine ID: 80 00 0a 4c 01 c0 a8 47 f6
	Engine boots: 123
	Engine time: 24951 seconds
	Max msg size: 2048 bytes
	Engine ID: local
	 User Auth/Priv Storage Status
	 nms1 sha/3des nonvolatile active
	Group name Security Security Storage Status
	 model name type
	chassis-only usm nms1 nonvolatile active
	Access control:
	Group Context Security Read Write Notify
	 prefix model/level view view view
	chassis-only usm/privacy chassis-in

The JUNOS structure for configuring SNMPv3 follows the structure of the protocol specification itself. Because it is a bit complex, it's worthwhile to look at the SNMPv3 portion of the configuration file that is created by the commands in this recipe, along with some added comments.

	aviva@router1# show | except SECRET-DATA
	v3 {
	 usm { # <-- which NMS systems can access the router
	 local-engine {
	 user nms1 {
	 authentication-sha {
	 privacy-des {
	 }
	 }
	 }
	 }
	 vacm { # <-- what the NMS systems can access on the router
	 security-to-group { # <-- which access group each NMS is in
	 security-model usm {
	 security-name nms1 {
	 group chassis-only;
	 }
	 }
	 }
	 access { # <-- which MIB views the NMS systems can access
	 group chassis-only {
	 default-context-prefix {
	 security-model usm {
	 security-level privacy {
	 read-view chassis-info-only;
	 notify-view chassis-info-only;
	 }
	 }
	 }
	 }
	 }
	 }
	}
	view chassis-info-only { # <-- define a view that allows all chassis objects
	 oid jnxBoxAnatomy include;
	 oid snmpMIBObjects include;
	 oid system include;
	}



Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net